CN100487715C - Date safety storing system, device and method - Google Patents

Info

Publication number: CN100487715C
Authority: CN (China)
Prior art keywords: data, operating platform, encryption, key, memory device
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CNB2007100626956A
Other languages: Chinese (zh)
Other versions: CN101034424A (en)
Inventors: 乔椿, 刘长生, 王梓, 王庆军, 张璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Shenzhen Sinosun Technology Co., Ltd.
Original Assignee: ZHAORI TECH Co Ltd SHENZHEN
Application filed by ZHAORI TECH Co Ltd SHENZHEN
Priority to CNB2007100626956A
Publication of CN101034424A
Application granted
Publication of CN100487715C

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a data secure storage system, device and method. The system comprises an operating platform and a storage device, and further comprises: a trusted computing unit, used to protect the key that encrypts and decrypts the data read and written between the operating platform and the storage device; an encryption/decryption unit, used to read the key from the trusted computing unit and, with the correspondingly configured encryption/decryption algorithm, encrypt and decrypt the data read and written between the operating platform and the storage device; and a control unit, used to initialize the trusted computing unit and the encryption/decryption unit and to control the encryption/decryption unit so that it uses the key to encrypt and decrypt the data read and written between the operating platform and the storage device. The invention places low demands on user operation, is simple to use, and meets users' requirements.

Description

A data secure storage system, device and method
Technical field
The present invention relates to the field of data security, and in particular to a system, device and method for the trusted, secure storage of data with encryption and decryption.
Background technology
With the rapid development of modern communication technology, the volume of data processed in communication equipment keeps growing. Much of the data in such equipment must also be stored, during operation or after it ends, in different storage devices such as random-access memory (RAM), hard disks or flash memory (Flash). Such communication equipment includes microcomputers (PCs), small, medium and large servers, notebook computers, and various newer mobile communication devices such as mobile phones, PDAs, USB flash drives, MP3 players and MP4 players.
Data stored in communication equipment, such as the data in a computer, is usually kept on a hard disk. If the hard disk holds data with higher security requirements, such as trade secrets, national security secrets or national defense data, its loss or theft brings great danger. This is especially true of portable and mobile devices: because they are easier to carry, they are also more exposed, the requirements for protecting them are higher, and the security threat is greater.
Usually, to keep stored data safe, the user of communication equipment uses some encryption/decryption method to encrypt the data and only then stores it in the corresponding storage device.
Methods for encrypting and decrypting data stored temporarily or permanently in a storage device, and for encrypting data in transit, have already been implemented in products by those of ordinary skill in the art. Most practitioners encrypt the data with a key and require that the party receiving the encrypted transmission, or the party reading the encrypted data from the storage device, hold a key that is identical to or paired with the encrypting party's key in order to decrypt. Unauthorized persons on either side should therefore not know or obtain the key, cannot encrypt or decrypt the data, and cannot obtain the data concerned, which protects the stored data.
Chinese patent application No. 200610000047.3 discloses a method for the secure storage and processing of data on removable storage devices. It relates to data protection technology for removable storage devices, in particular a data storage and processing method for a dedicated removable storage device that is used on its own, independent of a smart cryptographic key. It uses a "mobile safe" system tool to create, for the data on the removable storage device that needs encryption protection, a virtual encrypted file directory specific to the legitimate user. The legitimate user can create, modify and delete files in it; can drag unprotected data on the removable storage device into the mobile safe to encrypt it; and can drag protected data from the mobile safe into the unprotected public area of the removable storage device to decrypt it. To an illegitimate user, the mobile safe is always an encrypted disk file that cannot be opened and whose contents cannot be obtained.
Chinese patent application No. 200510124652.7 discloses a device, system and method for the transparent end-to-end security of stored data. That invention comprises one or more clients that communicate with a server. A client wishes to send a storage structure to the storage server. The client and the server negotiate a transmission key. The client generates a storage key associated specifically with the storage structure. The client encrypts the storage structure with the storage key and encrypts the storage key with the transmission key. The encrypted storage structure and the encrypted storage key are sent to the server. The server decrypts the storage key with the transmission key. The server stores the storage structure on a storage device different from the one used to store the storage key. Preferably, any change in the location of the storage structure, the location of the storage key, or the name of the storage structure is tracked, and the association between the location of the storage structure and the location of the corresponding storage key is revised accordingly.
However, the existing methods of protecting stored data by encryption and decryption demand too much of the user and are rather complicated to use, so they do not meet users' requirements.
Summary of the invention
The object of the present invention is to provide a data secure storage system, device and method that place low demands on user operation, are simple to use, and meet users' requirements.
To achieve this object, the invention provides a data secure storage system comprising an operating platform and a storage device, and further comprising a trusted computing unit and an encryption/decryption unit, wherein:
The trusted computing unit is used to protect the key that encrypts and decrypts the data read and written between the operating platform and the storage device;
The encryption/decryption unit is used to read the key from the trusted computing unit and, with the correspondingly configured encryption/decryption algorithm, encrypt and decrypt the data read and written between the operating platform and the storage device.
The data secure storage system may further comprise a control unit, used to initialize the trusted computing unit and the encryption/decryption unit, and to control the encryption/decryption unit so that it uses the key to encrypt and decrypt the data read and written between the operating platform and the storage device.
The protection provided by the trusted computing unit consists of judging whether unique identifiers match and, on that basis, controlling the operating platform's secure read/write access to the storage device.
The key is stored in the trusted computing unit.
The trusted computing unit also stores the first unique identifier of the operating platform, which is used in the matching judgment.
The control unit may comprise a key judgment subunit and a read/write control subunit, wherein:
The key judgment subunit is used to judge whether the trusted computing unit holds a key and whether the data read and written between the operating platform and the storage device needs to be encrypted and decrypted, and to read the second unique identifier of the operating platform according to the result of that judgment;
The read/write control subunit is used, when the operating platform reads data from the storage device, to control the encryption/decryption unit to encrypt and decrypt the data read and written between the operating platform and the storage device.
The control unit may further comprise an initialization subunit, used to load and initialize the trusted computing environment when the operating platform hardware is powered on and the initialization software performs initialization.
The encryption/decryption unit may comprise a read-data decryption subunit and a write-data encryption subunit, wherein:
The read-data decryption subunit is used, when the operating platform reads data from the storage device, to intercept and parse the data to obtain the original encrypted data, decrypt it to obtain the plaintext data, then repackage the plaintext data in the original transfer format and pass it to the operating platform;
The write-data encryption subunit is used, when the operating platform writes data to the storage device, to intercept and parse the data to obtain the original plaintext data, encrypt it to obtain the encrypted data, then repackage the encrypted data in the original transfer format and write it to the storage device.
The trusted computing unit may comprise a matching control subunit, used to read the first unique identifier and check whether it matches the second unique identifier read by the key judgment subunit.
The trusted computing unit may also comprise a key storage subunit, used to store the encryption/decryption key and the first unique identifier.
The trusted computing unit may further comprise a key generation subunit, used to generate the corresponding encryption/decryption key from the first unique identifier of the operating platform.
The operating platform is a computer system platform, or a single-chip microcomputer system platform, or a client/server network platform formed by a mobile phone, PDA, USB flash drive, MP3 player or MP4 player together with the network on which that mobile phone, PDA, USB flash drive, MP3 player or MP4 player operates.
The storage device is RAM, a hard disk or flash memory, or a combination of more than one of these.
For a computer system, the unique identifier comprises:
the serial number of the computer motherboard; or
the central processing unit serial number; or
a device serial number; or
the operating system serial number; or
the application software serial number; or a combination of more than one of these.
For a communication network system, the unique identifier comprises:
the SIM card number of the mobile phone; or
the international mobile equipment identity of the mobile phone; or a combination of the two.
The unique identifier is an integrity measurement value, namely the result of a hash operation over the characteristic values that represent the software platform and hardware platform of the operating platform.
The key generation subunit may generate the encryption/decryption key by means of a hash function.
The encryption/decryption algorithm is the DES algorithm, the IDEA algorithm, the AES algorithm, the RSA algorithm, the Diffie-Hellman algorithm or the ECC algorithm, or a combination of more than one of these.
To achieve this object, the invention also provides a data secure storage device, electrically connected to an operating platform and a storage device and comprising a trusted computing unit and an encryption/decryption unit, wherein:
The trusted computing unit is used to protect the key that encrypts and decrypts the data read and written between the operating platform and the storage device;
The encryption/decryption unit is used to read the key from the trusted computing unit and, with the correspondingly configured encryption/decryption algorithm, encrypt and decrypt the data read and written between the operating platform and the storage device.
The data secure storage system may further comprise a control unit, used to initialize the trusted computing unit and the encryption/decryption unit, and to control the encryption/decryption unit so that it uses the key to encrypt and decrypt the data read and written between the operating platform and the storage device.
The protection provided by the trusted computing unit consists of judging whether unique identifiers match and, on that basis, controlling the operating platform's secure read/write access to the storage device.
The key is stored in the trusted computing unit.
The trusted computing unit also stores the first unique identifier of the operating platform, which is used in the matching judgment.
The control unit may comprise a key judgment subunit and a read/write control subunit, wherein:
The key judgment subunit is used to judge whether the trusted computing unit holds a key and whether the data read and written between the operating platform and the storage device needs to be encrypted and decrypted, and to read the second unique identifier of the operating platform according to the result of that judgment;
The read/write control subunit is used, when the operating platform reads data from the storage device, to control the encryption/decryption unit to encrypt and decrypt the data read and written between the operating platform and the storage device.
The control unit may further comprise an initialization subunit, used to load and initialize the trusted computing environment when the operating platform hardware is powered on and the initialization software performs initialization.
The encryption/decryption unit may comprise a read-data decryption subunit and a write-data encryption subunit, wherein:
The read-data decryption subunit is used, when the operating platform reads data from the storage device, to intercept and parse the data to obtain the original encrypted data, decrypt it to obtain the plaintext data, then repackage the plaintext data in the original transfer format and pass it to the operating platform;
The write-data encryption subunit is used, when the operating platform writes data to the storage device, to intercept and parse the data to obtain the original plaintext data, encrypt it to obtain the encrypted data, then repackage the encrypted data in the original transfer format and write it to the storage device.
The trusted computing unit may comprise a matching control subunit, used to read the first unique identifier and check whether it matches the second unique identifier read by the key judgment subunit.
The trusted computing unit may also comprise a key storage subunit, used to store the encryption/decryption key and the unique identifier.
The trusted computing unit may further comprise a key generation subunit, used to generate the corresponding encryption/decryption key from the unique identifier of the operating platform.
The data secure storage device is a hardware device independent of the operating platform and the storage device, or part of the storage device's control apparatus, or part of the hardware platform of the operating platform, or a piece of software loaded from the BIOS chip, or a piece of software loaded from the EFI chip.
To achieve this object, the invention also provides a data secure storage method, comprising the following steps:
Step A: when data in the storage device needs to be processed, power on and initialize the operating platform, initialize the trusted computing environment, and, by judging whether the unique identifiers match, control the operating platform's secure read/write access to the storage device;
Step B: once secure read/write access to the storage device has been confirmed, read the key and, with the correspondingly configured encryption/decryption algorithm, encrypt and decrypt the data read and written between the operating platform and the storage device.
In step A, controlling the operating platform's secure read/write access to the storage device by judging whether the unique identifiers match specifically comprises the following steps:
Step A1: judge whether a key exists in the trusted computing environment; if not, go to step A2; otherwise go to step A4;
Step A2: judge whether the data read and written between this operating platform and the storage device needs to be encrypted and decrypted; if not, start normally, apply no processing to the data read and written between the operating platform and the storage device, and finish after the user's normal use; otherwise go to step A3;
Step A3: generate the corresponding encryption/decryption key and go to step B;
Step A4: if a key already exists in the trusted computing unit, read the first unique identifier and check whether it matches the second unique identifier read from this operating platform;
Step A5: if they match, the check passes; obtain the key and go to step B; otherwise, display a prompt message, then end and return.
Step A4 further comprises the following step:
When the first unique identifier is read, the user can be required to verify a password; if the password the user enters differs from the password of this first unique identifier, the user is not allowed to obtain this first unique identifier.
In step B, encrypting and decrypting the data read and written between the operating platform and the storage device specifically comprises the following steps:
Step B1: when the operating platform reads data from the storage device, intercept and parse the data to obtain the original encrypted data, decrypt it to obtain the plaintext data, then repackage the plaintext data in the original transfer format and pass it to the operating platform;
Step B2: when the operating platform writes data to the storage device, intercept and parse the data to obtain the original plaintext data, encrypt it to obtain the encrypted data, then repackage the encrypted data in the original transfer format and write it to the storage device.
For a computer system, the unique identifier comprises:
the serial number of the computer motherboard; or
the central processing unit serial number; or
a device serial number; or
the operating system serial number; or
the application software serial number; or a combination of more than one of these.
For a communication network system, the unique identifier comprises:
the SIM card number of the mobile phone; or
the international mobile equipment identity of the mobile phone; or a combination of the two.
The unique identifier is an integrity measurement value, namely the result of a hash operation over the characteristic values that represent the software platform and hardware platform of the operating platform.
The key generation may generate the encryption/decryption key from the unique identifier by means of a hash function.
The encryption/decryption algorithm is the DES algorithm, the IDEA algorithm, the AES algorithm, the RSA algorithm, the Diffie-Hellman algorithm or the ECC algorithm, or a combination of more than one of these.
The beneficial effects of the invention are as follows. The data secure storage system, device and method of the invention encrypt and decrypt the data that the operating platform (such as a computer system or a mobile data transmission system) reads and writes in the storage device, and the encryption/decryption key is protected and managed by a trusted computing unit in the system that is bound to the platform. To the platform's operating system and application software, the data read/write process is therefore transparent and secure. Furthermore, the creation and management of the key are guaranteed by the trusted computing unit, which gives hardware-level security. Because the trusted computing unit is bound to the operating platform, the encrypted data cannot be decrypted without access to this operating platform, which further guarantees its security: if the storage device is installed in another operating platform, the data stored on it cannot be decrypted, read or written. This is significant for users of portable equipment, military users, and users with sensitive data that needs protection.
Description of drawings
Fig. 1 is a structural diagram of the data secure storage system of the invention;
Fig. 2 is a structural diagram of the trusted computing unit in Fig. 1;
Fig. 3 is a structural diagram of the encryption/decryption unit in Fig. 1;
Fig. 4 is a structural diagram of the control unit in Fig. 1;
Fig. 5 is a flowchart of the data secure storage method of the invention;
Fig. 6 is a flowchart of the judgment step in Fig. 5 that controls data reading and writing;
Fig. 7 is an example diagram of the transparent data secure storage system of the invention.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the data secure storage system, device and method of the invention are described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
As shown in Fig. 1, the data secure storage system of the invention comprises an operating platform 11, a storage device 13, a trusted computing unit 121, an encryption/decryption unit 122 and a control unit 123.
The operating platform 11 is used to process operational data. It may be a computer system platform, or another client/server system platform similar to a computer system platform, such as a single-chip microcomputer system platform; or a client/server network platform formed by a mobile communication device, such as a mobile phone, PDA, USB flash drive, MP3 player or MP4 player, together with the network over which it communicates, reads and writes data and operates, such as the mobile communication network of a mobile phone.
The operating platform 11 comprises a hardware platform 72 and a software platform 71. For a computer system platform, the operating platform 11 comprises the hardware platform 72 needed to process operational data, namely the central processing unit (CPU), control bus, input/output devices and other peripherals; and the software platform 71 that runs on the hardware platform 72, namely the initialization system software (BIOS software, EFI software, etc.), the operating system 712 (Windows, Unix, Linux, etc.), device drivers 713, application software 711 (such as office automation software), and other software (such as antivirus software).
For a communication network platform, the operating platform 11 comprises the hardware platform 72, namely the mobile phone and the other hardware in the communication network, such as routers and physical server equipment; and the software platform 71, namely server control software, router control software, mobile phone control software and so on.
The storage device 13 is used to store encrypted data. It may be one of random-access memory (RAM), a hard disk, flash memory (Flash) or similar storage devices 13, or a combination of more than one of them. Those of ordinary skill in the art will understand that, in the general sense, the storage device 13 of the invention may also be part of the hardware platform 72 of the operating platform 11.
Those of ordinary skill in the art will also understand that, in the system architecture of the invention, the storage device 13 also includes a device driver and a drive controller, used to read and write the data in the storage sectors of the storage device 13.
The trusted computing unit 121 is used to protect the key that encrypts and decrypts the data read and written between the operating platform 11 and the storage device 13. It does so by judging whether unique identifiers match and, on that basis, controlling the operating platform's secure read/write access to the storage device. The key and the unique identifier may be kept in the trusted computing unit, or in another storage unit preset by the user.
The unique identifier of the operating platform 11 may comprise the following unique identifiers of its hardware platform 72 and software platform 71.
For a computer system, these comprise:
1) the serial number of the computer motherboard; or
2) the central processing unit (CPU) serial number; or
3) a device (such as a network card) serial number; or
4) the operating system 712 serial number; or
5) the application software 711 serial number, etc.
For a communication network system, these comprise:
1) the SIM card number of the mobile phone; or
2) the International Mobile Equipment Identity (IMEI) of the mobile phone, etc.
These unique identifiers of the hardware platform 72 and software platform 71, which can uniquely identify the operating platform 11, are generally generated at random by the manufacturer at the factory to identify the product uniquely, and so are unique. For example, the motherboard serial number can identify the origin of the whole computer, and the mobile phone SIM card number can identify the user. These unique identifiers can also be read. In the invention, therefore, one or more of these unique identifiers are read and then used in a matching check, so that encryption and decryption with the key are bound to the operating platform 11.
The unique identifier may also be an integrity measurement value, which is the result of applying a HASH operation (that is, a hash computation) to the characteristic values of the software platform 71 and hardware platform 72 in the operating platform 11. This result is the integrity measurement value of the operating platform 11. Such integrity measurement values are treated as the unique identifier of the operating platform and identify the configuration information or platform features of the operating platform 11.
As a kind of embodiment, this reads the key that fixed data are carried out encryption and decryption to operating platform 11 and 13 of memory devices, by the uniqueness sign generation of operating platform.
Trust calculation unit 121 identifies from the uniqueness that assigned operation platform 11 (being generally the operating platform that is electrically connected with trust calculation unit 121) reads this operating platform 11, utilizes the uniqueness sign by key generation method (or claiming algorithm, function) and the corresponding key of enciphering and deciphering algorithm.
Utilize the uniqueness sign,, generate and the corresponding key of enciphering and deciphering algorithm by key generation method.
In embodiments of the present invention,, utilize the uniqueness sign, generate key by Hash (HASH) function as a kind of enforceable method.
Hash function also is hash function or hash function, and (be called pre-mapping again, pre-image), by hashing algorithm, be transformed into the output of regular length, this output is exactly hashed value the input of random length exactly.It briefly is exactly a kind of function that the message compression of random length is arrived the eap-message digest of a certain regular length.Utilize one or more uniqueness sign,, generate unique hashed value by hash function.
Promptly utilize hash function to calculate the key of sign: HASH (sign)=mac; Wherein mac is unique hashed value of calculating with hash function HASH.
Preferably, utilize this unique hashed value, according to different enciphering and deciphering algorithms, by the key generation center of this enciphering and deciphering algorithm, the corresponding unique encryption and decryption key of regeneration.
For general enciphering and deciphering algorithm,,, generate unique hashed value once more, as the encryption and decryption key because therefore its key uniqueness can utilize hash function once more as symmetrical enciphering and deciphering algorithm.
But for rivest, shamir, adelman, because its key is that key is right, i.e. PKI and private key.Therefore, can only utilize this unique hashed value by the corresponding cipher key center of this rivest, shamir, adelman, generate PKI and private key, it is right to obtain key.
As preferred embodiment of the present invention, this enciphering and deciphering algorithm is symmetrical enciphering and deciphering algorithm, and like this, the key generative process can once be generated by hash function, also can twice generation.And symmetrical enciphering and deciphering algorithm is safer, and encryption/decryption speed is very fast, makes the read-write operational efficiency of memory device 13 can not incur loss.
In embodiments of the present invention, of particular note, this reads the key that fixed data are carried out encryption and decryption to operating platform 11 and 13 of memory devices, might not be generated by the uniqueness sign of operating platform.It also can generate with additive method, for example utilizes random number to generate, and stores in the trust calculation unit then.
Encryption/decryption element 122 reads the key from trust calculation unit 121 and, using the correspondingly configured encryption and decryption algorithm, encrypts and decrypts the data read and written between operating platform 11 and memory device 13.
That is to say, using the key read from trust calculation unit 121, it encrypts the data that operating platform 11 writes to memory device 13, and it decrypts the data that operating platform 11 reads from memory device 13 before sending them to operating platform 11 for processing.
The encryption and decryption algorithm configured in encryption/decryption element 122 can be any existing encryption and decryption algorithm that corresponds to the key, and can be one or more symmetric or asymmetric encryption and decryption algorithms.
Symmetric encryption and decryption algorithms include the Data Encryption Standard (DES) algorithm, which originated at IBM and was formally adopted by the U.S. government; the International Data Encryption Algorithm (IDEA), developed at ETH Zurich by the Chinese scholar Xuejia Lai and James L. Massey; and the Advanced Encryption Standard (AES) algorithm, submitted by the Belgians Joan Daemen and Vincent Rijmen and selected as the U.S. Advanced Encryption Standard by the US National Institute of Standards and Technology (NIST); and so on.
DES is the abbreviation of Data Encryption Standard. It is a cryptographic algorithm developed by IBM, which the NBS announced in 1977 as the data encryption standard for use by non-classified departments. For more than 20 years it has been active on the stage of international secure communication and has played a crucial role.
DES is a block encryption algorithm: it encrypts data in 64-bit blocks. DES is also a symmetric algorithm: encryption and decryption use the same algorithm. Its key length is 56 bits (because every eighth bit is used for parity checking).
Asymmetric encryption and decryption algorithms include the RSA (Rivest, Shamir and Adleman) algorithm, the Diffie-Hellman algorithm, the ECC (Elliptic Curve Cryptography) algorithm, and so on.
In the present embodiment, a memory device 13 that supports IDE/SATA controller 712 is taken as an example. Encryption/decryption element 122 is connected to IDE/SATA controller 712, so hard disks of different kinds that support the IDE/SATA controller 712 interface are all supported, because with the present invention these different memory devices 13 need no change at all for the data to be encrypted and decrypted.
Control module 123 initializes trust calculation unit 121 and encryption/decryption element 122, and controls the encryption/decryption element so that it uses the key to encrypt and decrypt the data read and written between the operating platform and the memory device.
When operating platform 11 needs trust calculation unit 121 to guarantee the security of the data read from and written to memory device 13, operating platform 11 first powers up the data-processing hardware and initializes the initialization software, such as the BIOS software or EFI software. At this point trust calculation unit 121 is loaded in the BIOS or EFI software, the trusted computation environment is initialized, and a setting is made as to whether the data that operating platform 11 reads from and writes to memory device 13 (for example a hard disk) are encrypted/decrypted by encryption/decryption element 122 with the key in trust calculation unit 121.
Those of ordinary skill in the art will also appreciate that trust calculation unit 121 can generate and store several different keys for reading and writing different regions of memory device 13. For example, key A reads and writes the C drive of a hard disk and cannot see other regions, key B reads and writes the D drive and cannot see other regions, and so on. The keys in trust calculation unit 121 can also be managed at different privilege levels: an ordinary operator cannot read, write or modify a key, whereas a super administrator can read a key and modify the original key. For example, suppose the original key was generated from the mainboard uniqueness sign alone and a key that also covers the uniqueness sign of application software 711 is now required. The super administrator reads the key and generates a new key from the new uniqueness sign (mainboard sign + application software sign), then uses the original key to read and decrypt the data written in memory device 13, writes the data back to memory device 13 encrypted with the new key, and finally overwrites and deletes the original key with the new key.
The control module in the data safety storing system of the present invention can be an independent control module chip, or a control function circuit unit integrated into the trust calculation unit.
The data safety storing system of the present invention encrypts and decrypts the data that operating platform 11 (for example a computer system or a mobile data transmission system) reads and writes in memory device 13, and the encryption and decryption key is protected and managed by trust calculation unit 121, which is bound to the platform. For operating system 712 and application software 711 on the platform, the data read-write process is therefore transparent and safe.
Correspondingly, the present invention also provides a data safety storage device 12, electrically connected to operating platform 11 and memory device 13, which comprises trust calculation unit 121, encryption/decryption element 122 and control module 123, wherein:
Trust calculation unit 121 protects the key, bound to the designated operating platform 11, that encrypts and decrypts the data read and written between operating platform 11 and memory device 13. By means of a uniqueness sign matching judgement it controls the operating platform's secure storage reads and writes to the memory device, and thereby protects the key that encrypts and decrypts the data read and written between operating platform 11 and memory device 13. The key and the uniqueness sign can be kept in the trust calculation unit, or in another storage unit preset by the user.
As shown in Figure 2, trust calculation unit 121 comprises key generation subelement 1211, key storage subelement 1212 and matching control subelement 1213, wherein:
Matching control subelement 1213 reads the originally stored uniqueness sign and checks it for a match against the uniqueness sign of the operating platform read at initialization.
As one implementable method, when matching control subelement 1213 uses the encryption and decryption key for memory device key protection and the key is about to be released for data encryption and decryption, trust calculation unit 121 checks the integrity measurement value generated by the current computation against the integrity measurement value kept in the platform configuration register. The key is released only if the integrity measurement values match; otherwise release of the key is refused.
As another implementable method, once matching control subelement 1213 has confirmed that a key exists in trust calculation unit 121, it reads the uniqueness sign from trust calculation unit 121 and checks it against the corresponding uniqueness sign read from operating platform 11. If they match, the check passes and the key is used to encrypt/decrypt the data read and written; otherwise a message is given (such as "Sorry, you have no right to read the hard disk!") and the process ends and returns.
Further, as yet another implementable method, if the key is generated from the uniqueness sign, only the key is kept in the trust calculation unit. Once matching control subelement 1213 has confirmed that a key exists in trust calculation unit 121, it reads the key from trust calculation unit 121 and then directs trust calculation unit 121 to decrypt the key, which restores the uniqueness sign of operating platform 11. Matching control subelement 1213 checks the decrypted uniqueness sign against the corresponding uniqueness sign read from operating platform 11. If they match, the check passes and the key is used to encrypt/decrypt the data read and written; otherwise a message is given and the process ends and returns.
Starting from the key and applying the process opposite to key generation, i.e. the inverse process, the one or more uniqueness signs from which the key was generated can be obtained. For a key generated by the above hash function, for example, the original uniqueness sign is obtained from the key by the inverse process of the hash function.
For a key with several uniqueness signs, because the start-up process of a computer system platform is sequential, the several serial numbers can be checked one after another; each time a part of the serial numbers has been checked and found correct, a certain part of the data can be read and written. In this way operating platform 11 is guaranteed to be able to start, and the security of the data is also guaranteed.
After these processes are finished, the user can use the data safety storing system of the present invention just like an ordinary operating platform 11, and can install operating system 712, application software 711 and so on.
Key generation subelement 1211 generates the corresponding encryption and decryption key.
As one implementable mode, control module 123 reads one or more uniqueness signs of operating platform 11 from operating platform 11, and trust calculation unit 121 generates the key from them. For example, if the user wants reads and writes of the hard disk to be restricted to this computer, the mainboard serial number is read and used to generate the key, and the encryption and decryption algorithm in encryption/decryption element 122 encrypts/decrypts this computer's reads and writes to memory device 13. If the user wants reads and writes of the hard disk to be restricted not only to this computer but also to the Windows XP operating system and application software 711 (for example our company's office software), then the mainboard serial number of the host, the Windows XP operating system serial number and the application software 711 serial number are read, trust calculation unit 121 generates and saves the key, and encryption/decryption element 122 then reads the key from trust calculation unit 121 and uses the corresponding encryption and decryption algorithm to encrypt/decrypt the reads and writes to memory device 13 made by application software 711 of this computer on the Windows XP operating system.
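The key generation described above (HASH(sign) = mac, a second hash pass for a symmetric key, and keys built from one or several serial numbers), as an added example that is not code from the patent. SHA-256 as HASH, the length-prefixed encoding of the signs, the serial-number strings and `staged_keys` (one possible reading of the successive check of several serial numbers) are assumptions made for illustration. The matching check compares a stored digest of the signs, since SHA-256 is one-way and the signs are not recoverable from the key here.

```python
import hashlib
import hmac

# Constructed sample identifiers; real values would be read from the platform.
MAINBOARD = "MB-SN-CONSTRUCTED-0001"
OS_SERIAL = "OS-SN-CONSTRUCTED-0002"
APP_SERIAL = "APP-SN-CONSTRUCTED-0003"


def encode_signs(signs):
    """Length-prefix every sign so ("AB", "C") and ("A", "BC") hash differently."""
    out = bytearray()
    for sign in signs:
        raw = sign.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def sign_mac(signs):
    """HASH(sign) = mac, with SHA-256 standing in for HASH (an assumption)."""
    return hashlib.sha256(encode_signs(signs)).digest()


def symmetric_key(signs):
    """Second hash pass: the mac is hashed again and the result is a 256-bit key."""
    return hashlib.sha256(sign_mac(signs)).digest()


def signs_match(stored_mac, platform_signs):
    """Matching check of a stored mac against the signs read at start-up.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of the digest agree.
    """
    return hmac.compare_digest(stored_mac, sign_mac(platform_signs))


def staged_keys(signs_in_boot_order):
    """One key per start-up stage, each bound to all signs checked so far.

    Assumed scheme: stage 0 depends on the mainboard only, stage 1 on
    mainboard + operating system, and so on, so an early stage can unlock
    its part of the data before the later signs are available.
    """
    return [symmetric_key(signs_in_boot_order[: i + 1])
            for i in range(len(signs_in_boot_order))]


if __name__ == "__main__":
    old_key = symmetric_key([MAINBOARD])              # key bound to the mainboard
    new_key = symmetric_key([MAINBOARD, APP_SERIAL])  # key after adding the application sign
    print("key changes when a sign is added:", old_key != new_key)
    print("other mainboard matches:",
          signs_match(sign_mac([MAINBOARD]), ["MB-SN-CONSTRUCTED-9999"]))
```

Serial numbers are readable by anyone with access to the platform, so a key derived only from them is no more secret than the signs themselves; the randomly generated key mentioned earlier does not depend on them.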
Key storage subelement 1212 stores the encryption and decryption key and the uniqueness sign.
In one embodiment of the present invention, the key storage subelement is a group of platform configuration registers provided inside trust calculation unit 121, which store the uniqueness sign of operating platform 11 and the key.
In another embodiment of the present invention, if the key is generated from the uniqueness sign, the uniqueness sign need not be stored; it is obtained from the key by the inverse process of key generation.
Starting from the key and applying the process opposite to key generation, i.e. the inverse process, the one or more uniqueness signs from which the key was generated can be obtained. For a key generated by the above hash function, for example, the original uniqueness sign is obtained from the key by the inverse process of the hash function.
Encryption/decryption element 122 reads the key from trust calculation unit 121 and, using the correspondingly configured encryption and decryption algorithm, encrypts and decrypts the data read and written between operating platform 11 and memory device 13.
As shown in Figure 3, encryption/decryption element 122 comprises read-data decryption subelement 1221 and write-data encryption subelement 1222, wherein:
Read-data decryption subelement 1221: when operating platform 11 reads data from memory device 13, it intercepts and parses the data to obtain the original encrypted data, decrypts them to obtain plaintext data, then packs the plaintext data in the original transmission format and transfers them to operating platform 11.
Write-data encryption subelement 1222: when operating platform 11 writes data to memory device 13, it intercepts and parses the data to obtain the original plaintext data, encrypts them to obtain encrypted data, then packs the encrypted data in the original transmission format and writes them to memory device 13.
Control module 123 initializes trust calculation unit 121, and controls the encryption/decryption element so that it uses the key to encrypt and decrypt the data read and written between the operating platform and the memory device.
As shown in Figure 4, control module 123 comprises initialization subelement 1231, key judgment subelement 1232 and read-write control subelement 1233, wherein:
Initialization subelement 1231: when the hardware of operating platform 11 is powered up and the initialization software is initialized, it loads and initializes the trusted computation environment, and sets the data that operating platform 11 reads from and writes to memory device 13 to be encrypted and decrypted with the key by encryption/decryption element 122.
Because encryption/decryption element 122 and trust calculation unit 121 of the present invention are both passive devices, the system also needs control module 123 to support its operation in order to work correctly. Control module 123 can boot and run, can complete the initialization of trust calculation unit 121, and coordinates trust calculation unit 121 and encryption/decryption element 122. In particular, because control implemented in an environment where operating system 712 is present cannot protect the data that operating system 712 itself processes, control module 123 can run in an environment without operating system 712. Taking a personal computer as an example, an existing computer at start-up runs the BIOS or EFI before operating system 712. At that point trust calculation unit 121 is loaded and the trusted computation environment is initialized, i.e. the trusted computation environment is loaded into the BIOS or EFI environment; the parameters for initializing the trusted computation environment can be carried in program code, etc.
Key judgment subelement 1232 judges whether trust calculation unit 121 holds a key and whether the data read and written between operating platform 11 and memory device 13 need to be encrypted and decrypted, and reads the uniqueness sign of operating platform 11 according to the result.
Key judgment subelement 1232 judges whether there is a key in trust calculation unit 121. If there is no key, it judges whether the data read and written between operating platform 11 and memory device 13 need to be encrypted/decrypted. If not, the platform starts normally, the data read and written between operating platform 11 and memory device 13 are not processed in any way, and the procedure ends after the user's normal use; otherwise the key generation subelement in trust calculation unit 121 generates the corresponding encryption and decryption key.
Read-write control subelement 1233: when operating platform 11 reads the data of memory device 13, it controls encryption/decryption element 122 to encrypt and decrypt the data read and written between operating platform 11 and memory device 13.
When operating platform 11 reads data from memory device 13, read-write control subelement 1233 controls encryption/decryption element 122 to intercept and parse the data to obtain the original encrypted data, decrypt them to obtain plaintext data, then pack the plaintext data in the original transmission format and transfer them to operating platform 11;
When operating platform 11 writes data to memory device 13, read-write control subelement 1233 controls encryption/decryption element 122 to intercept and parse the data to obtain the original plaintext data, encrypt them to obtain encrypted data, then pack the encrypted data in the original transmission format and write them to memory device 13.
In this way, at both ends, operating platform 11 and memory device 13 store data just as conveniently as before; that is, the reading and writing of data between operating platform 11 and memory device 13 is transparent. The user need not be concerned with how the data are encrypted and decrypted, nor worry about the security of the data.
It should be noted here that intercepting and parsing data, and packing data in the original format, are common knowledge in this field and are therefore not described in detail in the embodiments of the present invention.
Preferably, when operating platform 11 and memory device 13 read and write data, encryption/decryption element 122 does no processing on the control signalling in the transmission and encrypts and decrypts only the read and written data themselves.
Data safety storage device 12 is either a hardware device independent of operating platform 11 and memory device 13, or a part of the control device of memory device 13, or a part of hardware platform 72 in operating platform 11: for example a chip connected to the control bus of the computer mainboard, a chip connected between operating platform 11 and memory device 13, a piece of software loaded in the BIOS chip, or a piece of software loaded in the EFI chip.
With the present invention, for memory devices 13 of different kinds, the safe storage device only needs to be connected to the respective bus control device for data encryption and decryption to be achieved. The present invention is therefore transparent to operating platform 11 and memory device 13; that is, the operating platform 11 and memory device 13 with which this secure data storage is implemented need no change at all.
"Transparent" here has two meanings. First, the technique is transparent to operating system 712 and application software 711 running on operating platform 11: operating system 712 and application software 711 are unaware that the data are encrypted, so neither needs any extra modification for the encryption/decryption process. Second, the technique is transparent to the different memory devices 13: for different storage media or devices the basic principle of operation does not change, encryption/decryption element 122 only has to be added to encrypt and decrypt the data before they are written, and the existing memory device 13 itself needs no additional change.
In the data safety storing system and device of the present invention, key creation and management are designed around operating platform 11, so the security of both the storage and the use of the key is significantly improved.
As shown in Figure 5, the data security storage method of the present invention is described in further detail below. It comprises the following steps:
Step S100: when data in memory device 13 need to be processed, operating platform 11 is powered on and initialized, the trusted computation environment is initialized, and the secure storage reads and writes of operating platform 11 to memory device 13 are judged and controlled by uniqueness sign matching;
When operating platform 11 needs to process data in memory device 13, it first powers on and initializes: the trusted computation environment is initialized first, and then the whole operating platform 11 is initialized. Initializing the trusted computation environment includes initializing trust calculation unit 121 and judging and confirming whether encryption and decryption are needed, whether a key exists for encryption and decryption, and so on.
Step S200: after it is confirmed that secure storage reads and writes to memory device 13 can be performed, the key is read and, using the correspondingly configured encryption and decryption algorithm, the data read and written between operating platform 11 and memory device 13 are encrypted and decrypted.
The encryption and decryption algorithm includes, but is not limited to, one or more symmetric or asymmetric encryption and decryption algorithms.
The symmetric encryption and decryption algorithms include the DES algorithm, the IDEA algorithm, the AES algorithm, and so on.
The asymmetric encryption and decryption algorithms include the RSA algorithm, the Diffie-Hellman algorithm, the ECC algorithm, and so on.
As shown in Figure 6, in step S100, judging and controlling the secure storage reads and writes of operating platform 11 to memory device 13 by uniqueness sign matching specifically comprises the following steps:
Step S110: judge whether there is a key in the trusted computation environment; if not, go to step S120; otherwise go to step S140;
Step S120: judge whether the data read and written between operating platform 11 and memory device 13 need to be encrypted/decrypted; if not, the platform starts normally, the data read and written between operating platform 11 and memory device 13 are not processed in any way, and the procedure ends after the user's normal use; otherwise go to step S130;
Step S130: generate the corresponding encryption and decryption key and go to step S200;
As one implementable mode, one or more uniqueness signs of operating platform 11 are read from operating platform 11, and trust calculation unit 121 generates the key from them.
Step S140: if a key already exists in trust calculation unit 121, read the uniqueness sign and check it against the corresponding uniqueness sign read from operating platform 11;
As one implementable method, when coupling control sub unit 1233 uses the encryption and decryption key for memory device key protection and the key is about to be released for data encryption and decryption, trust calculation unit 121 checks the integrity measurement value generated by the current computation against the integrity measurement value kept in the platform configuration register. The key is released only if the integrity measurement values match; otherwise release of the key is refused.
As another embodiment, if a key already exists in trust calculation unit 121 and the key was generated from the uniqueness sign, then starting from the key and applying the process opposite to key generation, i.e. the inverse process, the one or more uniqueness signs from which the key was generated are obtained, and the uniqueness sign is checked against the corresponding uniqueness sign read from operating platform 11.
Further, as yet another implementable method, only the key is kept in the trust calculation unit. Once coupling control sub unit 1233 has confirmed that a key exists in trust calculation unit 121, it reads the key from trust calculation unit 121 and then directs trust calculation unit 121 to decrypt the key, which restores the uniqueness sign of operating platform 11. Coupling control sub unit 1233 checks the decrypted uniqueness sign against the corresponding uniqueness sign read from operating platform 11. If they match, the check passes and the key is used to encrypt/decrypt the data read and written; otherwise a message is given and the process ends and returns.
More preferably, the uniqueness sign in the trusted computation environment can itself be protected, i.e. a password can be specified for using the uniqueness sign. In other words, the user can specify the password to be used when the uniqueness sign is read; if the password the user enters differs from the password for reading the uniqueness sign, the user is not allowed to obtain the uniqueness sign.
If the user protects the uniqueness sign with a password, the user is required to enter the correct password during start-up, and the uniqueness sign can be obtained only if the password is correct.
Where there are several uniqueness signs, because the start-up process of a computer system platform is sequential, the several serial numbers can be checked one after another; each time a part of the serial numbers has been checked and found correct, a certain part of the data can be read and written. In this way operating platform 11 is guaranteed to be able to start, and the security of the data is also guaranteed.
Step S150: if they match, the check passes, the key is obtained, and the method goes to step S200; otherwise a message is given and the process ends and returns.
After these processes are finished, the user can use the data safety storing system of the present invention just like an ordinary operating platform 11, and can install operating system 712, application software 711 and so on.
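The decision flow of steps S110 to S150, with the integrity-measurement match as the check in S140, as an added example that is not code from the patent. The `TrustUnit` class, the TPM-style extend formula built on SHA-256, the randomly generated key and the component byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PCR_SIZE = 32  # bytes in the modelled platform configuration register


def extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Fold the boot components, in start-up order, into one integrity value."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class TrustUnit:
    """Toy model of trust calculation unit 121: one key bound to one PCR value."""

    def __init__(self):
        self.key = None
        self.sealed_pcr = None

    def has_key(self):
        return self.key is not None

    def generate_key(self, pcr):
        # Random key (the text allows this) stored with the value it is bound to.
        self.key = secrets.token_bytes(32)
        self.sealed_pcr = pcr

    def release_key(self, pcr):
        # Release only when the current measurement equals the stored one.
        if hmac.compare_digest(self.sealed_pcr, pcr):
            return self.key
        return None


def boot(unit, components, want_encryption=True):
    """Run S110-S150 and return (outcome, key)."""
    pcr = measure_boot(components)
    if not unit.has_key():                   # S110: no key yet
        if not want_encryption:              # S120: plain start, no processing
            return ("plain", None)
        unit.generate_key(pcr)               # S130: generate key, go to S200
        return ("key-generated", unit.key)
    key = unit.release_key(pcr)              # S140: matching check
    if key is None:                          # S150: mismatch, refuse and return
        return ("refused", None)
    return ("key-released", key)             # S150: match, go to S200


if __name__ == "__main__":
    unit = TrustUnit()
    good = [b"bios-image-constructed", b"loader-constructed"]
    print(boot(unit, good)[0])                                          # first start
    print(boot(unit, good)[0])                                          # same platform
    print(boot(unit, [b"bios-image-constructed", b"loader-CHANGED"])[0])  # altered boot chain
```

Because each extend hashes the previous register value, the same components measured in a different order give a different value, which is why the check also fails when the start-up sequence changes.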
In step S200, encrypting and decrypting the data read and written between operating platform 11 and memory device 13 specifically comprises the following steps:
When operating platform 11 reads data from memory device 13, the data are intercepted and parsed to obtain the original encrypted data, which are decrypted to obtain plaintext data; the plaintext data are then packed in the original transmission format and transferred to operating platform 11;
When operating platform 11 writes data to memory device 13, the data are intercepted and parsed to obtain the original plaintext data, which are encrypted to obtain encrypted data; the encrypted data are then packed in the original transmission format and written to memory device 13.
Figure 7 shows an example of the transparent data safety storing system of the present invention. Because none of the encryption/decryption operations on the data read and written (including software control and hardware processing) needs to interact directly with operating system 712, operating system 712 does not know that the data it reads and writes are protected by encryption and decryption. Control module 123 runs in the BIOS environment or EFI environment and finishes loading the key into encryption/decryption element 122 before operating system 712 is loaded; when operating system 712 reads and writes data on memory device 13, encryption/decryption element 122 automatically encrypts and decrypts the data. Likewise, memory device 13 does not know that the data read and written are protected by encryption and decryption: it stores the encrypted data in its sectors exactly as it stored unencrypted data before, so the process is transparent to it.
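The transparent read/write path described above (data intercepted, encrypted or decrypted, repacked in the original format, control signalling left untouched), as an added example that is not code from the patent. The frame dictionaries, the `Device` and `InlineFilter` classes and the HMAC-SHA256 keystream are assumptions; the keystream stands in for the DES, IDEA or AES algorithms the text names only because it needs nothing beyond the Python standard library, and a real device would use a block cipher in a disk mode such as AES-XTS.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector in this model


def keystream(key, lba, length):
    """Stand-in cipher: HMAC-SHA256(key, lba || counter) blocks, cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def crypt_sector(key, lba, data):
    """XOR with the per-sector keystream; the same call encrypts and decrypts.

    The output has the same length as the input, so the frame keeps its
    original format. Rewriting a sector reuses its keystream, which is one
    reason this stand-in is not suitable for real storage.
    """
    ks = keystream(key, lba, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class Device:
    """Model of memory device 13: stores whatever sectors it is given."""

    def __init__(self):
        self.sectors = {}

    def handle(self, frame):
        if frame["op"] == "WRITE":
            for off in range(0, len(frame["data"]), SECTOR):
                self.sectors[frame["lba"] + off // SECTOR] = frame["data"][off:off + SECTOR]
            return {"op": "WRITE_OK"}
        if frame["op"] == "READ":
            data = b"".join(self.sectors[frame["lba"] + i] for i in range(frame["count"]))
            return {"op": "DATA", "lba": frame["lba"], "data": data}
        return {"op": "STATUS", "echo": dict(frame)}  # control signalling


class InlineFilter:
    """Model of encryption/decryption element 122, placed in front of the device."""

    def __init__(self, key, device):
        self.key = key
        self.device = device

    def _crypt(self, lba, data):
        # Whole sectors only; each sector gets its own keystream.
        return b"".join(
            crypt_sector(self.key, lba + off // SECTOR, data[off:off + SECTOR])
            for off in range(0, len(data), SECTOR))

    def handle(self, frame):
        if frame["op"] == "WRITE":
            # Write path: replace the payload, keep every other field as it was.
            return self.device.handle(dict(frame, data=self._crypt(frame["lba"], frame["data"])))
        reply = self.device.handle(frame)
        if reply["op"] == "DATA":
            # Read path: decrypt the payload before it reaches the platform.
            reply = dict(reply, data=self._crypt(reply["lba"], reply["data"]))
        return reply  # control frames and their replies pass through unchanged


if __name__ == "__main__":
    dev = Device()
    flt = InlineFilter(bytes(range(32)), dev)  # constructed key
    flt.handle({"op": "WRITE", "lba": 10, "data": b"A" * (2 * SECTOR)})
    print("stored sector is plaintext:", dev.sectors[10] == b"A" * SECTOR)
    print("read back:", flt.handle({"op": "READ", "lba": 10, "count": 2})["data"][:8])
```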
In this way, at both ends, operating platform 11 and memory device 13 store data just as conveniently as before; that is, the reading and writing of data between operating platform 11 and memory device 13 is transparent. The user need not be concerned with how the data are encrypted and decrypted, nor worry about the security of the data.
In other words, the data security storage method of the present invention provides a transparent technical method for encrypting and decrypting the data read and written between operating platform 11 and memory device 13. The method uses trust calculation unit 121, which is bound to operating platform 11, for the encryption/decryption key, and uses encryption/decryption element 122 to encrypt/decrypt the data.
From the above description of the specific embodiments of the invention in conjunction with the accompanying drawings, other aspects and features of the present invention are apparent to those skilled in the art and are therefore not described in detail one by one.
The data safety storing system, device and method of the present invention encrypt and decrypt the data that an operating platform (for example a computer system or a mobile data transmission system) reads and writes in a memory device, and the encryption and decryption key is protected and managed by a trust calculation unit in the system that is bound to the platform, so that for the operating system and application software of the platform the data read-write process is transparent and safe. Further, the construction and management of the key are guaranteed by the trust calculation unit, i.e. they have hardware-level security. The trust calculation unit is bound to the operating platform, and without access to this operating platform the encrypted data cannot be decrypted, which further guarantees security: if the memory device is installed in another operating platform, the data stored in it cannot be decrypted, read or written. This is significant for portable device users, military users and users with sensitive data that need protection.
The above description and illustration of specific embodiments of the invention should be considered exemplary and are not intended to limit the invention; the present invention should be interpreted according to the appended claims.

Claims (37)

1. A data secure storage system comprising an operating platform and a storage device, characterized in that it further comprises a trusted computing unit and an encryption/decryption unit, wherein:
the trusted computing unit is configured to perform a unique-identifier matching judgment on the unique identifier of the operating platform, the unique identifier being a first unique identifier, and to control the secure data storage reads and writes of the operating platform to the storage device, thereby protecting the key used to encrypt and decrypt the data read and written between the operating platform and the storage device;
the encryption/decryption unit is configured to obtain the key and, using the correspondingly configured encryption/decryption algorithm, to encrypt and decrypt the data read and written between the operating platform and the storage device.
2. The data secure storage system according to claim 1, characterized in that it further comprises a control unit configured to initialize the trusted computing unit and the encryption/decryption unit, and to control the encryption/decryption unit to use the key to encrypt and decrypt the data read and written between the operating platform and the storage device.
3. The data secure storage system according to claim 1, characterized in that the key is stored in the trusted computing unit.
4. The data secure storage system according to claim 1, characterized in that the trusted computing unit also stores the first unique identifier of the operating platform used for the matching judgment.
5. The data secure storage system according to claim 2, characterized in that the control unit comprises a key judgment subunit and a read/write control subunit, wherein:
the key judgment subunit is configured to judge whether the trusted computing unit holds a key and whether the data read and written between the operating platform and the storage device needs to be encrypted and decrypted, and to read a second unique identifier of the operating platform according to the result of the judgment;
the read/write control subunit is configured, when the operating platform reads data of the storage device, to control the encryption/decryption unit to encrypt and decrypt the data read and written between the operating platform and the storage device.
6. The data secure storage system according to claim 5, characterized in that the control unit further comprises an initialization subunit configured to load the trusted computing environment and initialize it when the operating platform hardware is powered on and the initialization software performs initialization.
7. The data secure storage system according to claim 1, characterized in that the encryption/decryption unit comprises a read-data decryption subunit and a write-data encryption subunit, wherein:
the read-data decryption subunit is configured, when the operating platform reads data from the storage device, to intercept and parse the data to obtain the original encrypted data, decrypt it to obtain plaintext data, then pack the plaintext data in the original transfer format and transfer it to the operating platform;
the write-data encryption subunit is configured, when the operating platform writes data to the storage device, to intercept and parse the data to obtain the original plaintext data, encrypt it to obtain encrypted data, then pack the encrypted data in the original transfer format and write it to the storage device.
8. The data secure storage system according to claim 5, characterized in that the trusted computing unit comprises a matching control subunit configured to read the first unique identifier and to perform a matching check between the first unique identifier and the second unique identifier read by the key judgment subunit.
9. The data secure storage system according to claim 8, characterized in that the trusted computing unit further comprises a key storage subunit configured to store the encryption/decryption key and the first unique identifier.
10. The data secure storage system according to claim 9, characterized in that the trusted computing unit further comprises a key generation subunit configured to generate the corresponding encryption/decryption key according to the first unique identifier of the operating platform.
11. The data secure storage system according to claim 1, characterized in that the operating platform is a computer system platform, or a single-chip microcomputer system platform, or a client/server network platform formed jointly by a mobile phone, PDA, USB flash drive, MP3 player or MP4 player and the network on which the mobile phone, PDA, USB flash drive, MP3 player or MP4 player operates.
12. The data secure storage system according to claim 1, characterized in that the storage device is one of, or a combination of more than one of, RAM, a hard disk and flash memory.
13. The data secure storage system according to claim 1, characterized in that the unique identifier, for a computer system, comprises one of, or a combination of more than one of:
the serial number of the computer motherboard;
the central processing unit serial number;
the device serial number;
the operating system serial number;
the application software serial number.
14. The data secure storage system according to claim 1, characterized in that the unique identifier, for a communications network system, comprises one or both of:
the SIM card number of the mobile phone;
the international mobile phone identification code of the mobile phone.
15. The data secure storage system according to claim 1, characterized in that the unique identifier is an integrity measurement value, namely the result of performing a hash operation on the characteristics that represent the software platform and the hardware platform in the operating platform.
16. The data secure storage system according to claim 10, characterized in that the key generation subunit generates the encryption/decryption key by means of a hash function.
17. The data secure storage system according to claim 1, characterized in that the encryption/decryption algorithm is one of, or a combination of more than one of, the DES algorithm, the IDEA algorithm, the AES algorithm, the RSA algorithm, the Diffie-Hellman algorithm and the ECC algorithm.
18. A data secure storage device, electrically connected to an operating platform and a storage device, characterized in that it comprises a trusted computing unit and an encryption/decryption unit, wherein:
the trusted computing unit is configured to perform a unique-identifier matching judgment on the unique identifier of the operating platform, the unique identifier being a first unique identifier, and to control the secure data storage reads and writes of the operating platform to the storage device, thereby protecting the key used to encrypt and decrypt the data read and written between the operating platform and the storage device;
the encryption/decryption unit is configured to obtain the key and, using the correspondingly configured encryption/decryption algorithm, to encrypt and decrypt the data read and written between the operating platform and the storage device.
19. The data secure storage device according to claim 18, characterized in that it further comprises a control unit configured to initialize the trusted computing unit and the encryption/decryption unit, and to control the encryption/decryption unit to use the key to encrypt and decrypt the data read and written between the operating platform and the storage device.
20. The data secure storage device according to claim 18, characterized in that the key is stored in the trusted computing unit.
21. The data secure storage device according to claim 18, characterized in that the trusted computing unit also stores the first unique identifier of the operating platform used for the matching judgment.
22. The data secure storage device according to claim 18, characterized in that the control unit comprises a key judgment subunit and a read/write control subunit, wherein:
the key judgment subunit is configured to judge whether the trusted computing unit holds a key and whether the data read and written between the operating platform and the storage device needs to be encrypted and decrypted, and to read a second unique identifier of the operating platform according to the result of the judgment;
the read/write control subunit is configured, when the operating platform reads data of the storage device, to control the encryption/decryption unit to encrypt and decrypt the data read and written between the operating platform and the storage device.
23. The data secure storage device according to claim 22, characterized in that the control unit further comprises an initialization subunit configured to load the trusted computing environment and initialize it when the operating platform hardware is powered on and the initialization software performs initialization.
24. The data secure storage device according to claim 18, characterized in that the encryption/decryption unit comprises a read-data decryption subunit and a write-data encryption subunit, wherein:
the read-data decryption subunit is configured, when the operating platform reads data from the storage device, to intercept and parse the data to obtain the original encrypted data, decrypt it to obtain plaintext data, then pack the plaintext data in the original transfer format and transfer it to the operating platform;
the write-data encryption subunit is configured, when the operating platform writes data to the storage device, to intercept and parse the data to obtain the original plaintext data, encrypt it to obtain encrypted data, then pack the encrypted data in the original transfer format and write it to the storage device.
25. The data secure storage device according to claim 22, characterized in that the trusted computing unit comprises a matching control subunit configured to read the first unique identifier and to perform a matching check between the first unique identifier and the second unique identifier read by the key judgment subunit.
26. The data secure storage device according to claim 25, characterized in that the trusted computing unit further comprises a key storage subunit configured to store the encryption/decryption key and the unique identifier.
27. The data secure storage device according to claim 26, characterized in that the trusted computing unit further comprises a key generation subunit configured to generate the corresponding encryption/decryption key according to the unique identifier of the operating platform.
28. The data secure storage device according to claim 18, characterized in that the data secure storage device is a hardware device independent of the operating platform and the storage device.
29. A data secure storage method, characterized in that it comprises the following steps:
Step A: when data in the storage device needs to be processed, powering on and initializing the operating platform, initializing the trusted computing environment, performing a matching judgment on the unique identifier of the operating platform, the unique identifier being a first unique identifier, and controlling the secure data storage reads and writes of the operating platform to the storage device;
Step B: after confirming that secure data storage reads and writes to the storage device are to be performed, reading the key and, using the correspondingly configured encryption/decryption algorithm, encrypting and decrypting the data read and written between the operating platform and the storage device.
30. The data secure storage method according to claim 29, characterized in that, in step A, performing the unique-identifier matching judgment and controlling the secure data storage reads and writes of the operating platform to the storage device specifically comprises the following steps:
Step A1: judging whether a key exists in the trusted computing environment; if not, going to step A2; otherwise going to step A4;
Step A2: judging whether the data read and written between the operating platform and the storage device needs to be encrypted and decrypted; if not, starting normally, performing no processing on the data read and written between the operating platform and the storage device, and ending after the user's normal use; otherwise going to step A3;
Step A3: generating the corresponding encryption/decryption key and going to step B;
Step A4: if a key already exists in the trusted computing unit, reading the first unique identifier and performing a matching check between the first unique identifier and a second unique identifier read from the operating platform;
Step A5: if the match succeeds, the check passes, the key is obtained, and the method goes to step B; otherwise, after a prompt message is given, the method ends and returns.
31. The data secure storage method according to claim 30, characterized in that step A4 further comprises the following step:
when the first unique identifier is read, requiring the user to verify a password; if the password entered by the user differs from the password of the first unique identifier, the user is not allowed to obtain the first unique identifier.
32. The data secure storage method according to any one of claims 29 to 31, characterized in that encrypting and decrypting the data read and written between the operating platform and the storage device in step B specifically comprises the following steps:
Step B1: when the operating platform reads data from the storage device, intercepting and parsing the data to obtain the original encrypted data, decrypting it to obtain plaintext data, then packing the plaintext data in the original transfer format and transferring it to the operating platform;
Step B2: when the operating platform writes data to the storage device, intercepting and parsing the data to obtain the original plaintext data, encrypting it to obtain encrypted data, then packing the encrypted data in the original transfer format and writing it to the storage device.
33. The data secure storage method according to any one of claims 29 to 31, characterized in that the unique identifier, for a computer system, comprises one of, or a combination of more than one of:
the serial number of the computer motherboard;
the central processing unit serial number;
the device serial number;
the operating system serial number;
the application software serial number.
34. The data secure storage method according to any one of claims 29 to 31, characterized in that the unique identifier, for a communications network system, comprises one or both of:
the SIM card number of the mobile phone;
the international mobile phone identification code of the mobile phone.
35. The data secure storage method according to any one of claims 29 to 31, characterized in that the unique identifier is an integrity measurement value, namely the result of performing a hash operation on the characteristics that represent the software platform and the hardware platform in the operating platform.
36. The data secure storage method according to claim 30, characterized in that generating the key consists of generating the encryption/decryption key from the unique identifier by means of a hash function.
37. The data secure storage method according to claim 36, characterized in that the encryption/decryption algorithm is one of, or a combination of more than one of, the DES algorithm, the IDEA algorithm, the AES algorithm, the RSA algorithm, the Diffie-Hellman algorithm and the ECC algorithm.
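The boot-time flow of claims 29 to 32 (steps A1 to A5, B1 and B2) together with the hash-based identifier and key generation of claims 15, 35 and 36 can be simulated as follows. This is an added example, not code from the patent: all class and function names are hypothetical, the serial numbers are constructed, the HMAC-SHA256 keystream is a standard-library stand-in for the ciphers listed in claim 37, and the per-unit random secret mixed into key generation is an assumption the claims do not state.

```python
import hashlib
import hmac
import secrets


def measure_platform(characteristics):
    """Claims 15/35: hash the platform characteristics into a unique identifier."""
    h = hashlib.sha256()
    for name in sorted(characteristics):
        for part in (name, characteristics[name]):
            data = part.encode()
            h.update(len(data).to_bytes(4, "big") + data)  # length prefix: unambiguous
    return h.digest()


class TrustedComputingUnit:
    """Stores the first unique identifier and the key; releases the key on a match."""
    def __init__(self):
        self._first_id = None
        self._key = None
        # Assumption (not in the claims): random per-unit secret, so the key is
        # not recomputable from guessable serial numbers alone.
        self._secret = secrets.token_bytes(32)

    def has_key(self):  # step A1
        return self._key is not None

    def provision(self, platform_id):  # step A3: hash-based key generation
        self._first_id = platform_id
        self._key = hmac.new(self._secret, platform_id, hashlib.sha256).digest()

    def release_key(self, second_id):  # steps A4 and A5
        if not self.has_key() or not hmac.compare_digest(self._first_id, second_id):
            raise PermissionError("platform identifier mismatch: key withheld")
        return self._key


def crypt_sector(key, sector, data):
    """Length-preserving XOR keystream; stand-in cipher, not a mode to deploy."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class StorageFilter:
    """Encryption/decryption unit between platform and storage (steps B1/B2)."""
    def __init__(self, key, disk):
        self._key = key
        self._disk = disk  # dict of sector -> bytes, a constructed storage device

    def write(self, sector, plaintext):  # B2: encrypt, keep the original size
        self._disk[sector] = crypt_sector(self._key, sector, plaintext)

    def read(self, sector):  # B1: decrypt what the device returns
        return crypt_sector(self._key, sector, self._disk[sector])


def boot(unit, characteristics, disk, encrypt_wanted=True):
    """Steps A1 to A5; returns a StorageFilter, or None for plain pass-through."""
    second_id = measure_platform(characteristics)
    if not unit.has_key():
        if not encrypt_wanted:  # step A2: no encryption requested
            return None
        unit.provision(second_id)
    return StorageFilter(unit.release_key(second_id), disk)


def demo():
    home = {"motherboard_serial": "MB-SAMPLE-0001"}   # constructed values
    other = {"motherboard_serial": "MB-SAMPLE-0002"}
    unit, disk = TrustedComputingUnit(), {}
    boot(unit, home, disk).write(7, b"sensitive record")
    readback = boot(unit, home, disk).read(7)
    try:
        boot(unit, other, disk)  # unit and disk moved to a different platform
        refused = False
    except PermissionError:
        refused = True
    return disk[7], readback, refused
```

The mismatch branch is the platform-binding property the description relies on: the stored sector stays ciphertext and the unit refuses to release the key once the measured identifier changes.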
CNB2007100626956A 2007-01-12 2007-01-12 Date safety storing system, device and method Active CN100487715C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007100626956A CN100487715C (en) 2007-01-12 2007-01-12 Date safety storing system, device and method


Publications (2)

Publication Number Publication Date
CN101034424A CN101034424A (en) 2007-09-12
CN100487715C true CN100487715C (en) 2009-05-13

Family

ID=38730974


Country Status (1)

Country Link
CN (1) CN100487715C (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Assignee: Zhaori Science & Technology (Shenzhen) Co., Ltd.

Assignor: Zhaori Tech Co., Ltd., Shenzhen

Contract fulfillment period: 2009.2.28 to 2027.9.11 contract change

Contract record no.: 2009990000224

Denomination of invention: Date safety storing system, device and method

License type: Exclusive license

Record date: 2009.3.26

LIC Patent licence contract for exploitation submitted for record

Free format text: EXCLUSIVE LICENSE; TIME LIMIT OF IMPLEMENTING CONTACT: 2009.2.28 TO 2027.9.11; CHANGE OF CONTRACT

Name of requester: ZHAORI SCIENCE + TECHNOLOGY (SHENZHEN) CO., LTD.

Effective date: 20090326

ASS Succession or assignment of patent right

Owner name: SINOSUN TECHNOLOGY (SHENZHEN) CO., LTD.

Free format text: FORMER OWNER: SHENZHEN SINOSUN TECH CO., LTD.

Effective date: 20100622

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518040 BLOCK C-3, 6/F, BUILDING 213, TAIRAN 9TH ROAD, FUSHAN DISTRICT, SHENZHEN CITY, GUANGDONG PROVINCE TO: 518040 TOWER C, 6/F, BUILDING 213, TAIRAN INDUSTRY DISTRICT, CHEGONGMIAO, FUTIAN DISTRICT, SHENZHEN CITY

TR01 Transfer of patent right

Effective date of registration: 20100622

Address after: 518040 Shenzhen city Futian District Che Kung Temple Tairan industrial district 213 building 6 floor C block

Patentee after: Sinosun Technology (Shenzhen) Co., Ltd.

Address before: 518040 Guangdong province Fushan District of Shenzhen City Tairan nine Road 213 building 6 floor C-3 block

Patentee before: Zhaori Tech Co., Ltd., Shenzhen

C56 Change in the name or address of the patentee

Owner name: SHENZHEN ZHAORI TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: ZHAORI SCIENCE + TECHNOLOGY (SHENZHEN) CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 518040 Shenzhen city Futian District Che Kung Temple Tairan industrial district 213 building 6 floor C block

Patentee after: Shenzhen Sinosun Technology Co., Ltd.

Address before: 518040 Shenzhen city Futian District Che Kung Temple Tairan industrial district 213 building 6 floor C block

Patentee before: Sinosun Technology (Shenzhen) Co., Ltd.